www.pdpjournals.com

PRIVACY & DATA PROTECTION

VOLUME 19, ISSUE 7


Data Subject Access Requests — three illuminating UK cases


Kate Brimsted, Partner and UK Head of Data Privacy and Cyber Security, and Tom Evans, Associate, with Bryan Cave Leighton Paisner, highlight three cases in the UK which illustrate the current trends and issues with DSARs


A session on ‘The Changing Face of Subject Access under the GDPR’ features on day 1 of the 18th Annual Data Protection Practical Compliance Conference, taking place in London on 10th and 11th October.

See the website for details: www.pdpconferences.com


Like the proverbial bus, data protection specialists can wait a while for a significant case on data subject access requests (‘DSARs’) only to find that several come along in close succession! This article highlights three English court judgments and an Upper Tribunal decision, all of which apply the pre-GDPR legal framework though they illustrate trends and issues which are equally relevant under the current law.


Individuals seeking to enforce their access rights in the English courts have met with varying degrees of success over the years. In early cases such as Durant v Financial Services Authority 2003, senior judges derided the ‘misguided’ attempts of claimants to “use the machinery of the [Data Protection Act 1998] as a proxy for third party discovery with a view to litigation”. However, for almost a decade now the right of access to personal data has been a fundamental human right in EU law, as enshrined in Article 8 of the EU Charter of Fundamental Rights. More recent cases, together with a maturing of the data protection legislative environment and a change in societal attitudes towards ‘data’ and individual autonomy, have indicated a marked shift towards those making DSARs.

The cases described below demonstrate the significant lengths to which controllers are now expected to go when responding to a valid DSAR.

It is notable that each of these decisions was made under the Data Protection Act 1998 (the ‘DPA 1998’) which was the law in place before the General Data Protection Regulation (‘GDPR’). Given the boost to individuals’ rights provided by the GDPR, along with the increased accountability and transparency obligations for controllers, the direction of travel suggests this most powerful right will pose increasing challenges for compliance.


Dawson-Damer: ‘Relevant filing system’, reasonable and proportionate searching and consistency when withholding information

On 19th May 2019, judgment was given in the latest instalment in the Dawson-Damer trusts litigation (Dawson-Damer v Taylor Wessing [2019] EWHC 1258 (Ch)) which saw the High Court consider some fundamental concepts for DSARs.

The underlying dispute arose from the restructuring of a number of private family trusts in a manner by which the claimants felt unfairly disadvantaged. In 2014, DSARs were made by the claimants, who are beneficiaries of the trusts. The English solicitors advising the trustees, TW, also received DSARs from the beneficiaries. Trust-related litigation was then brought in the Bahamas against the trustees.

In responding to the DSARs, TW asserted that all personal data of the claimants held by them was covered by legal professional privilege (‘LPP’) and therefore exempt from disclosure. The claimants applied to the English High Court to request that the court exercise its discretion to order TW to comply with the DSARs. At first instance, the judge considered that the LPP exemption applied, and that any further search by TW would be disproportionate. The court ruled that it would not exercise its discretion to order a response to the DSARs, because the real motive was to use information in the Bahamas in proceedings, and this was not a proper use of the DSAR process. The matter was appealed in 2017 and overturned by the Court of Appeal on all three points. Following that, it was remitted back to the High Court and judgment was given in May 2019.

The main points determined were whether the paper files maintained by TW before it moved to electronic files in 2005 were a ‘relevant filing system’ and whether TW had breached its obligations by failing or refusing to carry out a reasonable and proportionate search and by redacting or withholding the claimants’ non-exempt personal data.

Whether the paper files constituted a ‘relevant filing system’ under the DPA 1998

This question is fundamental when it comes to determining the kind of material which comes within the scope of a DSAR. This is because, generally speaking, information held solely in paper files (sometimes called ‘manual data’) is in scope only if it is part of a ‘relevant filing system’, meaning that the information is organised in such a way as to allow specific information about particular individuals to be readily accessed. (A similar principle also applies in the GDPR, within the definition of ‘filing system’). In this case, the solicitors held paper files dating back many years. One set of 35 files was described as relating to the ‘Yuills Trusts’ containing correspondence in chronological order and some documents which were not date sorted.

The court held that the information was held in a ‘relevant filing system’, meaning the solicitors were required to search the files for any personal data of the claimants.

This was a departure from the narrow finding of ‘relevant filing system’ in Durant v Financial Services Authority, with the court favouring the wider test set out by the CJEU in re Tietosuojavaltuutettu (Case C-25/17). The Judge noted that the Durant case was decided before the right to protection of personal data was enshrined as a fundamental right in EU law and that the perspective on the right to protection of personal data has altered: the focus is now on the need for protection of the data subject as opposed to the burden on the controller. The Judge specifically commented that the level of protection that right has received in the English courts has increased, and that it was unduly restrictive, and could create a serious risk of circumvention, to apply the Durant approach, i.e. requiring that there must be a structured referencing mechanism, containing a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file specific criteria or information about the applicant can be readily located.

As the category of files in question clearly related to trusts in which the claimants, or at least the first claimant, was a potential beneficiary, the court held that description was a criterion which allowed access to their personal data. Giving the words ‘relating to individuals’ an extensive interpretation, the court found that the fact that the files related to trusts in which one or all of the claimants were potential beneficiaries, was sufficient to satisfy that requirement. The question of whether the specific criteria enabled the data to be ‘easily retrieved’ was then considered. The Judge noted that the files in question were arranged in chronological order and it would require someone to turn the pages to locate the personal data. Having a trainee turn the pages of the files to identify personal data and then having it reviewed by a senior associate was not unduly onerous, and therefore enabled any personal data of the claimants to be ‘easily retrieved’.

The judgment suggests that respondents to DSARs will likely be expected to consider all files, regardless of their physical format, where they are organised in some meaningful fashion that allows both identification of the data subject and the structured searching of the documents. The GDPR includes a definition of ‘filing system’ at Article 4(6) and it is reasonable to expect that this will be construed accordingly.

What amounted to ‘reasonable and proportionate’ searches for personal data?

The court found that TW had failed to provide evidence establishing the time and cost involved in conducting a further search for the claimants’ personal data, meaning TW did not discharge the burden of showing that such a search would be disproportionate. It also appeared to be to the claimants’ advantage that they had produced a targeted list of further searches and the court held that TW had not discharged its burden of showing all of these further searches would be disproportionate.

The judgment affirms that the burden is on the controller to prove that it has discharged this, and that giving an indication of cost or time that would be entailed in going beyond what had been undertaken could be helpful. The court firmly rejected the argument that the claimants’ motivation to use the DSARs as an additional disclosure exercise in relation to the Bahamian trust proceedings was a relevant factor in deciding what was ‘proportionate’ (or not).

The ruling may impact future interpretation of Article 12(5) of the GDPR, which provides that where requests made by a data subject are ‘manifestly unfounded or excessive’ the controller may either charge a reasonable fee for its services or refuse to act. The controller is obligated to ‘bear the burden of demonstrating the manifestly unfounded or excessive character of the request’. This judgment underlines this last point, suggesting courts will take seriously a controller’s evidential burden in justifying a refusal to answer a DSAR. In this sense this judgment appears to foreshadow the accountability requirements of the GDPR and Article 12(5).

Redaction and the withholding of personal data

The court examined a small sample of redacted documents which the claimants indicated demonstrated an inconsistent or incorrect approach to redaction; the Judge then ruled that it was clear in some instances there had been more redaction than there should have been. Unfortunately for TW, the court found the appropriate course was for TW to review the other redactions it had made and apply the principles arising from the Judge’s examination of the samples, ensuring consistency of approach.

The judgment also discussed the application of the LPP exemption in the context of trust law and the applicability of law (English and Bahamian).

Green v SCL Group: The special role of insolvency practitioners

On 17th April 2019, the High Court confirmed in this case (Vincent John Green, Mark Newman (as joint Administrators of each of the Companies) v SCL Group Limited, SCL Analytics Limited, SCL Commercial Limited, SCL Social Limited, SCL Elections Limited, Cambridge Analytica (UK) Limited [2019] EWHC 954 (Ch)) that administrators (like liquidators) are not ‘controllers’ of personal data, meaning they are not required to respond to DSARs issued against the companies over which they have been appointed.



In the aftermath of the Cambridge Analytica scandal, numerous companies within the Cambridge Analytica group suffered severe financial losses and administrators were appointed. Unknown to the administrators at the time of their appointment, the situation had been compounded by the seizure by the Information Commissioner’s Office (the ‘ICO’) of the companies’ equipment and servers, meaning they were unable to continue trading. A creditor in the US, Professor Carroll (‘C’), had made DSARs which had not been responded to, and the ICO then issued Enforcement Notices against the company. Following a failed administration process, the administrators requested that they be appointed liquidators of the various companies.

The creditor’s DSARs

C objected to the appointment of the administrators as liquidators, asserting that the administrators had breached duties they owed to data subjects under data protection laws, as well as making objections based on insolvency law. The creditor had made a DSAR to two group companies, requesting details of his personal data. After no response was provided, C’s complaint to the ICO led to Enforcement Notices being issued under the Data Protection Act 1998 to compel compliance with the DSARs. The companies were subsequently prosecuted for failure to comply with the Enforcement Notices.

The data protection status of administrators

In referring to established case law, the High Court noted that liquidators who operate as agents on behalf of a company cannot be controllers of personal data unless the liquidator takes decisions about the processing of personal data as principal. The court found the same reasoning also applies to administrators.

In a ruling which will be of great relief to liquidators and administrators concerned about the possible broadening of their own administrative duties, the court also held that neither liquidators nor administrators are obligated to investigate breaches of data protection law by a company. The court determined that any data protection investigations should remain within the purview of external regulators, such as the ICO in the UK.


Rudd v Bridle: application of exemptions and extent of transparency information

On 10th April 2019, the High Court ruled in Rudd v Bridle [2019] EWHC 893 (QB) that information provided to the claimant, Dr Rudd, in response to a DSAR made by him under the DPA 1998 had been inadequate. The court ordered significant further disclosure by the recipient of the DSAR.

Dr Rudd is a medical doctor specialising in the science of exposure to asbestos and the causal connections with lung diseases. He has given expert evidence in many cases over the last 35 years in which claimants have sought damages allegedly caused by exposure to asbestos.

The defendant, Mr Bridle, formerly worked in the building industry, including manufacturing products containing asbestos; he now runs a company, Asbestos Watch, which appears to undertake lobbying on behalf of the industry. Dr Rudd and Mr Bridle profoundly disagree regarding the role of asbestos in causing disease, and Mr Bridle called into question Dr Rudd’s conduct in his role as expert witness in cases claiming damages for disease attributed to asbestos exposure. Mr Bridle made complaints to the GMC, the Justice Secretary and Members of Parliament, alleging that Dr Rudd was part of a conspiracy with claimant law firms. Dr Rudd made DSARs in this context to Mr Bridle and also to Asbestos Watch. In addition to the core right to access in response to a DSAR, there was (and still is under the GDPR/DPA 2018) the right for the maker of the DSAR to receive information connected with the processing of his personal data, e.g. the source of the information and the purposes of the processing. (This requirement has been significantly extended in Articles 12 and 15 of the GDPR).

The Judge described the parties’ approach in the case as not only fractious, but undisciplined and disorderly, bordering at times on the chaotic. The main issues raised were summarised as (1) the controller issues; (2) the subject access issues — the exemption issues and the adequacy issues; (3) the unwarranted processing issues; and (4) the remedies issue. A number of these are described below. The court exercised its discretion to order Mr Bridle to provide further information to Dr Rudd.

The identification of third parties

The court decided that the identities of the third parties with whom Dr Rudd was alleged by Mr Bridle to have conspired were the personal data of Dr Rudd, as the data was focused on Dr Rudd and was biographically significant. This information therefore had to be disclosed.

In contrast, the court held that there was no obligation to disclose the recipients who received emails from Mr Bridle containing the personal data of Dr Rudd. The court held that the DPA 1998 and the ICO’s Subject Access Code state that a DSAR applicant should be provided with a description of the recipient and not their identity/name.

The application of exemptions to providing information

The court held that the fact Mr Bridle’s solicitor had reviewed the relevant materials, and determined that an exemption to disclosure applied, was not conclusive. A court will often not exercise its discretion to order disclosure where the controller has acted with reasonable diligence in determining that an exemption applies and there is no substantive reason to doubt their conclusion.

In this case, however, the court held that none of the exemptions which Mr Bridle sought to rely upon applied, namely: journalism, regulatory activity or litigation privilege (though a claim for legal advice privilege was accepted). The court held that the regulatory exemption can apply where personal data are processed for the purpose of regulatory functions and such processing is carried out by a regulatory body itself, as opposed to where personal data is processed by an individual who plans to report to a regulator. (Substantially the same exemptions also appear within the DPA 2018 at Schedule 2).

The regulatory exemption was also determined to apply only to the extent that providing personal data pursuant to the DSAR could prejudice the regulator’s capacity to properly carry out its regulatory functions. (The DPA 2018 includes language to the same effect at Schedule 2, Part 2, paragraph 11).

The sources of the personal data

The court held that controllers must provide any information they have available to them concerning the source of the individual’s personal data. Mr Bridle had taken a blanket approach to the identification of third parties (to resist this). The provisions in section 7 DPA 1998 relating to information which could identify other individuals cannot be relied on to withhold the identities of any firm, company or other legal entity, e.g. the names of the solicitors’ firms involved. As to personal information about sources, the court noted there was no evidence that anybody had been asked for their consent (or refused it).

The purpose of data processing

The court held that the requirement to disclose the purpose of processing need not occur on a document by document basis, as the claimant had contended; the controller which receives the DSAR can set out the general essence of what the controller was doing with the data.

Campbell v Secretary of State: Access requests after death

This case arises out of three test cases brought on behalf of 100 individuals seeking access to official records about their internment without trial in Northern Ireland in the 1970s. The matter was an appeal from the General Regulatory Chamber of the First-tier Tribunal. Following the death of Mr Campbell in 2015, one of the three individuals who had made a DSAR for this purpose, the Upper Tribunal (Administrative Appeals) (‘UT’) was required to determine: (i) whether Mr Campbell’s right of access to his personal data had survived, and (ii) whether his rights to appeal against a national security certificate issued by the Secretary of State under section 28(2) of the DPA 1998 (which exempted the records from access under a DSAR) had survived.

The UT determined that the deceased’s right of access was a purely personal and independent right. The right was therefore incapable of withstanding his death and could not give rise to a cause of action for his estate. It was held that rights relating to DSARs are not rights to be exercised by third parties, regardless of their relationship with the deceased.

The UT found that the right of appeal against the issuance of a national security certificate was nothing more than a statutory appeal route. This was therefore not a freestanding right of appeal, and did not amount to a cause of action. As it was not independent of the DSAR right, it did not survive Mr Campbell’s death.

Decisions of the UT are not binding on the High Court although they have precedential value equivalent to a High Court judgment. This case is certain to influence the interpretation by the UK courts of both an individual’s DSAR rights under Article 15 of the GDPR and the national security and defence exemptions contained in sections 26 and 27 of the DPA 2018 (and the associated statutory appeal mechanism). The appeal right against the issuance of a national certificate contained in section 28(4) of the DPA 1998 has also been replicated at section 27(3) of the DPA 2018, underlining that the approach adopted in this case can be expected going forward.


Some practical points

Relevant filing systems may be of limited practical application given the prevalence of digitised information and records; however, the widened concept could be of concern for organisations which retain significant paper records. Relying on an argument that the paper records do not have to be considered for the purposes of a DSAR on the grounds that they do not amount to a ‘filing system’ for GDPR purposes appears considerably less secure than previously thought.

Courts can be expected to be more ‘hands on’ when it comes to examining the approach taken by a controller to redactions where the maker of a DSAR challenges the consistency (or extent) of information withheld. This review is likely to be confined to a ‘sampling’ exercise, but the parameters of that sample may be dictated by the maker of the DSAR, as the party complaining about the execution of the process.

A controller may therefore find itself re-running the DSAR, which could be a significantly time-consuming and costly exercise.

It is for a controller contending that the search has been ‘reasonable and proportionate’ to prove this; in practice that may mean providing evidence as to the (disproportionate) effort which further searching would require. The dissatisfied maker of a DSAR may attempt to put the controller on the ‘back foot’ by submitting a list of further searches which could/should be undertaken, which the controller then has to prove would be disproportionate to conduct.

The ICO’s updated Subject Access Code for the post-GDPR environment is currently awaited. Traditionally, the ICO’s position on DSARs has tended to be considerably more demanding than the courts. Now that the court’s stance has hardened, controllers may be forgiven for anticipating the ICO’s update to the Code with a degree of trepidation.

We would like to thank Jack Dunn, trainee solicitor, for his assistance with this article.


Kate Brimsted and Tom Evans

Bryan Cave Leighton Paisner
kate.brimsted@bclplaw.com
tom.evans@bclplaw.com


